Idle thoughts – Unstructured musings from Joel Dunn…

Category Archives: Technology

When I did a Facebook post on this topic a couple days ago, I promised to write it up a bit more thoroughly. So, if you read the FB post, you can skip this, or not. 😉

The entertainment systems I’ve cobbled together over time have worked, but only with directions written and taped to the bottom of of the 4 remotes on the end table. Needless to say, it’s not been a recipe for marital harmony. Let’s just say that I have a higher tolerance for a multi-remote control system than my dear wife!

This year in early March, one of my sons (who is more of a geek than me) suggested after a visit that it was too complicated and he agreed with his mother. He showed me a high end version of a Logitech remote, but I just couldn’t hang with the $250 price for something I was sure would not work. Not much happened until I was headed to a conference for a few days…and it was made clear to me that something needed to be simplified!

So, when I returned I looked again at the Logitech remotes and saw that there was a simpler version without a touchscreen remote. I ordered the Harmony Companion, and it brought harmony to the house!

It truly works! I set up 5 different programs – one to set up for music streaming from Alexa, one for the TV (we use an LG TV, OTA programming, and a TiVo), one for AppleTV, and two for Roku, one to launch HBO Now, and one to launch Amazon Prime. I have a Chromecast also in the Denon receiver (actually, I have three of them all in different TVs), but never use it so no program yet for that.

Programming the remote involves a set of “activities,” which are multidevice sequences of actions to set the stage for the activity. You can control lights, etc as a part of an activity if you have compatible tech, but my Smartlife WiFi outlet sockets don’t work with it. It does apparently support and understand remote commands for just about any device with a remote control.

I did my setup on my iPad, and apparently that’s easier than the computer-based setup per the reviews. The UI allows you to select devices and actions as a part of the activity. The problem is that it doesn’t allow you to delete or move a step, though can add or modify a step. My TV sequence involved a bit of tweaking as when you turn on the TiVo and TV, the TV doesn’t sync to the HDMI input unless you do another source switch a few seconds later. So I had to turn on the TV, the receiver, the TiVo (with a different source), the delay several seconds (there is a delay command for just this type of situation), and then switch to the TiVo input. The iPad app crashed several times while I was doing the activity setup; it’s the weakest part of the system.

I also set up the Alexa skill and sync’d the accounts. This is another area that doesn’t provide as much control as I’d like. When you set it up, you get to choose keywords used in the invocation, but there’s no way to edit this after setup, at least that I’ve found. It also takes a few minutes for the accounts to sync. But it works! “Alexa, turn on the TV” does so, and “Alexa, turn on Tunes” sets up things for Alexa to use the receiver. With the TV and other such activities, you can also tell Alexa to “turn up the volume on the TV” and it will adjust the receiver volume setting.

The Companion remote has three activity buttons, shown as “music,” “TV,” and “movies” but using icons. You can short press or long press the button and that will give six activity invocations.

The remote talks to the base with Bluetooth, and the base emits IR/RF/Bluetooth to control devices. Per the directions, you can place the base with other components , and the IR reflects off the room and does not have to point to the targets.

So, this really does work. This particular version controls up to 8 devices. It sells for $100-$130 and has brought “harmony” to my house!

I’ve not written anything about ChromeOS since I retired. I was talking with my wife about Chromebooks recently, and that got me thinking about the state of ChromeOS. I did a quick bit of Googling and tried to brush off a few years of Chrome cobwebs. Interesting that Chromebook sales were well over 2 million in 2016 (more than Macs), and have taken a big chunk of the education marketplace, tho that’s unsurprising given the price, managability, longevity, and robustness.

Honestly, even though I’m still working part time in technology management, I’ve found I play with tech less and less in my spare time. I try to play more, fish more, travel more…but I think that fishing is still getting too small a slice of time 😉 . I’ve still got the same two Chromebooks, the Samsung and Acer mentioned here in this blog. We’ve used them on and off, but I’m amazed in some respects that these devices, from 2012 and 2013 respectively are still very viable and useable, and that the Chromebook specs (other than CPU speed) have not increased. The things that make a Chromebook useful (full browser, quick boot, malware resistance, etc.) are still viable in 2017. If someone just needs to browse and do email, it’s hard to beat a Chromebook and a basic internet connection.

It will be interesting to see what happens with Android apps on ChromeOS, but for that I will need to buy a new Chromebook 🙂

My last visit to see Jason, Jenny and Sierra was more expensive than usual. We came back and bought a yogurt maker and an Echo Dot after seeing both in service there. Well, they are both pretty cool and cheap, really 😉
I want to talk about the Echo Dot here; we’ll do a review of the Dash yogurt maker later, after we eat the first batch of yogurt. We’ve had the Dot for about 36 hours, so we’ve not done extensive integration yet, and I don’t have a lot of smart devices to control. However, I can say that I’m pretty impressed with the Alexa service and the Dot hardware.

The Echo Dot is a tiny device with few external controls. Setup was very easy through the iOS app. Just, plug it in, connect to the Dot’s ad hoc network, set up the Wifi credentials, log in to Amazon, and that’s pretty much it. Alexa recognized both my voice commands and Jan’s out of the box, with no training. Hooked up Pandora, connected to a Bluetooth speaker, tried TuneIn Radio, weather reports (had to set zip code as by IP address it thinks we are in Winston-Salem), sports, alarm, kitchen timer, etc. The Echo Dot works well from across the room when addressed in a natural voice. Kitchen commands will be very handy when you need some information and your hands are greasy.

Alexa doesn’t have the sense of humor that Siri has, tho!

Tonight I set up the “Todoist” app, which manages todo’s, shopping lists, etc. I think this will be very useful. Todoist syncs very quickly, with a shopping list item or a todo appearing on the app on my iPhone or Jan’s iPhone within seconds of the voice command to Alexa. I have enabled a purchase PIN so we don’t accidentally buy anything from Amazon 😉

We’ll take it to the beach next weekend and try integration with the Nest thermostats there.

For $49.99 this is really cool, and I can see why Ford is putting Alexa in cars in 2017/18. I’m getting used to saying “Alexa, play smooth jazz on Pandora, please” and “Alexa, stop” when ready to turn it off. This is the best “tech toy” I’ve seen in a long time!

Today’s the first hard freeze we’ve had this year. It’s maybe a little late…our first frost average is late October (the 23rd for Chapel Hill, with a standard deviation of 10 days), and we’ve had some light frost 3 or 4 days already), but this morning was down in the mid-20’s. So it’s a good day to sit around until the sun gets warm and “farm” some of my technology…updates, catchup, etc.

I host (but don’t curate) a website for the Boy Scout troop I used to run (Troop 449) and they Committee is starting a cub pack, and they wanted to reserve the domain, which I ordered up. I realized that the troop’s website hadn’t had a software update in a while (someone else *should* have been doing that) and I needed to update several things, including configuring the automatic backups (always backup before an update!). Had to re-remember how to set up Google Drive APIs for the upload – I’ve done this for several websites that send file backups to Google Drive, but seems like the Google API UI/UX is different each time I go there. Have plugins to update on several other websites, so I’m doing that. Needed to review my other domain names to make sure I still needed/wanted everything there. Needed to double-check the PHP version settings. Checked on another domain name I’d ordered; it’s one of the new ones, a “.blog” that won’t be ready until 11/21.

Last night I set up a new printer. I had an old Xerox phaser 8560 that was about 10 years old, and it wouldn’t print cleanly any more, the nozzles that deposit the melted wax (it uses the crayon-style media) were clogged in places, meaning colors were funky. Still printed black, but took forever to warm up, used a lot of power, etc. Replaced it with a little Brother 3140CW color laser for $170. Supports AirPrint, Google CloudPrint, plays nice with Macs w/o external drivers. Was a very easy install, runs fast and quiet, rated for ~19 pages per minute. I looked at fancier devices but we print very little these days…however sometimes we do need to print and this will take care of things nicely. The old printer could handle AirPrint thru a shim on the iMac (Printopia) but this is simpler and much quicker.

Lots of other things going on, have a Raspberry Pi 3 that’s fun…a gig of memory and a 32 gig microSD, and builtin WiFi and Bluetooth. A lot faster and more capable than my old 1 gen Pi B (both CPU speed and memory). What a heckuva Linux box in a pack (with case) the size of a deck of cards. The IoT is going to be fun but will be lots more things like the DDoS on Dyn back in October.

Speaking of hacks and protecting devices, I am now running Webroot on my Macs for antimalware. Seems to be a good fit, lightweight and fast, tho I think that the PC version is more efficient. Does reputational check on web links, which is good, as phishing, spear phishing, etc. can catch the best of us. Also just licensed Webroot for the small software firm I work part-time for; it has a nice management console in the business version.

So that’s enough for now. I needed a blog post and this is the best I could do this morning 😉

The Panama Papers data leak has already snared many rich and powerful folks who have been using questionable means to hide wealth beyond taxation and scrutiny. However, that’s not what I want to write about here. I certainly find the abuse of wealth and power to be an issue, and much ink is being spilled on this. I want to focus instead on information security, and in particular, the vectors likely used to extract the data from the law firm Mossack Fonseca. What happened here was not some sort of uber-secret hacking, but was a simple process of exploiting well known vulnerabilities in WordPress plugins and in a particular version of Drupal core that was found to have severe vulnerabilities in October 2014.

WordPress and Drupal are both extremely popular content management systems (CMS). Your correspondent runs several websites using both these systems, and this blog runs on WordPress. Both systems are robust, reliable, and have huge ecosystems of “plugins” or “modules” that can be used to extend basic functionality of the system in a myriad of ways. These extensions provide visual appeal (image sliders and other tools), spam control, and even database functions for storing information about the user community. If you can imagine it, someone out there has probably written a WordPress Plugin or Drupal Module that can help you bring that functionality to your site. However, with great power comes great responsibility 🙂 .

One of the banes of any technology system is maintenance and patching. This can be to fix bugs, to add functionality, or, increasingly, to patch the seemingly never-ending list of security holes. WordPress and Drupal are no exception, and in fact, both are big targets. Of the two, WordPress is far more prevalent, with over 75 million sites and growing rapidly. Drupal runs one million sites. From a security exposure perspective, WordPress is in my opinion a bigger problem. WordPress is extremely easy to install, and takes much less study to create interesting sites than does Drupal, and as such, many sites are set up by individuals and groups who don’t appreciate the rigor of site maintenance. I’m not writing this post to favor WordPress or Drupal. I like both, and both have strengths and weaknesses. This brings us back full circle to what happened with Mossack Fonseca.

In a word, the problem was maintenance. The likely vector that lead the Panama Papers hackers to Mossack Fonseca’s email servers was thru unpatched and well-known vulnerabilities in WordPress plugins. The Drupal exposure likely led to client documents, and could have been a bit more forgivable from an IT perspective, as the exposure was from the core weakness in Drupal versions prior to 7.31, a part of the “Drupalgeddon” exposure of huge numbers of Drupal sites…except that Mossack Fonseca is still (at the time of this writing) running Drupal 7.23 from August 2013!

Wordfence, an organization that provides security plugins and services for WordPress, has done an excellent writeup of how the Panama Papers hacks unfolded, and it’s well worth a read, especially if you are responsible for either doing website maintenance or if you are concerned about the security of the sites you or your organization run.

The sad fact is that it’s just so easy to do maintenance on both WordPress and Drupal that not maintaining sites is highly unprofessional. Wordfence provides an excellent plugin that notifies you when a monitored site needs a core update or plugin update. Many updates can be configured to run automatically. Running manually is a simple matter of logging in and then doing a couple of clicks! Drupal is just about as easy, though a Drupal core update is a bit more involved than a WordPress core update, currently needing a separate program (Drush) to handle the core update.

Maintenance of websites is a necessary job, just as is maintenance of any other technology asset. Think of it as changing the oil and checking the tire pressure in your car. If you know how, do it yourself. If you need to hire someone else to do it, then do so…but ensure that it is done, or you and your company may wind up in the news one day…

As I wrote here previously, I’ve been exploring the APRS (Automatic Packet Reporting System) Ham Radio system. I noted that while I had the Kenwood TH-D72 radio configured correctly, it was not reliably getting its packets to the nearest digipeater to be ingested into the APRS/APRS-IS world. I suspected it was an antenna issue, as I was using the “rubber duck” that came with the radio. I replaced that with a Diamond SRH77CA and that’s made a huge difference. I’ve used it to have a “chat” with another local APRS user several miles away, though via the digipeaters, it’s possible to have a digital chat with an APRS user much further away (depending on mutual routing settings). Additionally, I noted that when the radio was inside a vehicle, it was unlikely to successfully send a packet unless the digipeater was just a couple miles away. So, I also got a Diamond MR73S, a small magnetic-mount external antenna with an SMA connector. With that on top of my truck, the APRS “smart beaconing” works perfectly, sending status packets with information that reliably shows position and turns. Interesting stuff.

I’ve been experimenting with APRS (Automatic Packet Reporting System) on HAM Radio. Interesting stuff! Essentially, it is a system that provides situational awareness and context for radio-enabled devices by capturing “beacons” from devices such as mobile radios, fixed point radios, weather stations, satellites, antennas, and creating a data stream that’s used to create a geo-enabled map of devices in real time…an organic “Internet of Things” (IoT) joined in the radio spectrum. As Bob Bruninga, the father of APRS says:

“Since the primary objective is consistent exchange of information between everyone, APRS established standard formats not only for the transmission of POSITION, STATUS, MESSAGES, and QUERIES, it also establishes guidelines for display so that users of different systems will still see the same consistent information displayed in a consistent manner (independent of the particular display or maping system in use)”

There are gateways to the traditional Internet for email, but the value of APRS is in the dynamic resource map it populates to RF contacts in the local area (and through data added to the APRS-IS, the Internet system, and thus generally available), and its ability to send messages between participants. It’s a peer-to-peer network that can grow organically with the addition of “digipeaters” to relay traffic, but still provides station to station information. As the APRS Wikipedia article states, “Anyone may place any object or information on his or her map, and it is distributed to all maps of all users in the local RF network or monitoring the area via the Internet.”

It does depend on access to a digipeater, and one thing I’ve found in a couple days of testing is that my HT 5w Kenwood TH-D72 transmits to the nearest repeater from Emerald Isle with sketchy regularity. It’s 10 air miles, and the standard antenna on the TH-D72 is reliably receives APRS packets from KD4KTO-4, but seems to get them there irregularly. Next week, I’ll be back in the Chapel Hill area, and it will be interesting to see how things fare there. I’ve ordered a better antenna for the radio as well, and that should help considerably with transmit range.

As my faithful readers know 😉 , I really like the Apple Watch. I wrote in September about getting the wrist detection working again, and it’s been great since then…with one exception. Without wrist detection enabled, you can’t use Apple Pay (it won’t let you store cards without wrist detection enabled). When I turned wrist detection off, before that fix with OS 2, my Apple Pay configuration went away; that’s the way it works. This doesn’t sound so bad, but then when wrist detection was back, I couldn’t add cards to Apple Pay. They would be stuck being “activated.”

I did a fair bit of Googling on it, and it appeared to be an issue with some bit of iPhone storage not getting completely cleared out with card removal. Supposedly a restore of the phone fixed things for many folks. However, I didn’t want to go to the trouble to do that, so I just ignored that one missing feature. After December’s Watch and iOS updates, I decided to try again and lo and behold, it worked! I loaded up some cards and went Christmas shopping on Friday. Woohoo! I’m a happy camper.

Since the Paris terrorist attack and then the San Bernardino shootings (which now are confirmed to be an internationally inspired terrorist attack by a US lifetime resident and citizen) there has been much discussion among talking heads on screen and in print about needing to be able to eavesdrop on all communications. Many pundits, candidates, and congressmen have jumped all over this bandwagon, calling for more surveillance and calling for means to access any encrypted communication. Many of these same advocates for eavesdropping are ardent supporters of the 2nd Amendment, but forget about the rights for the people to communicate, assemble, and be protected from unreasonable searches and seizures (1st and 4th Amendments). However, putting aside the legal issues and politics that are wrapped up in the issue, this is technically a very bad idea.

First, let’s consider encryption alone, without considering some sort of backdoor or key escrow. Encrypted communication has been with us as long as there has been writing, and really, it’s been with us as long as there has been spoken language. Fundamentally, it’s communication that can’t be deciphered due to some sort of obfuscation. This can manifest itself as something intelligible only to the communicating parties such as a jumble of letters or symbols, or some common words (spoken or written) to which is ascribed a common, secret meaning known only to the communicating parties. The common thread here is that there is some shared knowledge that can be used by the communicating parties to extract the hidden meaning, either a shared secret or knowledge of the location of a message. Cryptography is an old art, dating back several thousand years (see also this article for more history). There are a myriad of non-digital ways to hide information, and a quick overview of the Wikipedia article on Steganography can be quite illuminating to the uninitiated, although computers have opened up many new avenues for the practices. Classic encryption took the form of a shared secret (a word, phrase, words on pages of a book, etc.) that could be used to encrypt and decrypt the coded message. Innovative ways of doing this, and in particular changing the shared key, made such messages very secure. In the digital world, this is called symmetric key cryptography.

Widespread use of computers has created many types of communications where information needs to be shared, but also protected, and this brought about the rise of public key cryptography (a pair of algorithmically related keys) and digital signatures as a means of solving the shared secret conundrum. A fundamental point that you should take away, however, is that in the digital world, encryption, whether with a shared secret or a public keys, it boils down to algorithms implemented in computer code. This is embedded in tools you use every day on your computer. Whenever you see a “lock” or other security symbol in the URL display of your browser, you are seeing the results of these algorithms implementing public key encryption. There are many algorithms for cryptography throughout cyberspace that are in the public domain and can be used by anyone. A quick trip to Google will show you this. Likewise, many derivative works exist that are not cataloged. Herein lies the first lesson. The US does not “own” cryptography, or algorithms, and there are many freely available algorithms and code implementations of those algorithms that are beyond the reach of US laws. Efforts to constrain or to weaken encryption will not affect those who want to hide their communications. Just as toolkits are available for the propagation of computer malware (another interesting story!), toolkits for encryption are available and will remain available regardless of legislation. To paraphrase a saying of supporters of 2nd Amendment rights, “when encryption is outlawed, only outlaws will have encryption.”

We have seen this week a revelation that Juniper Networks found at least one “backdoor” in their router/firewall operating system, that had been there since at least 2012. What was the source of this intrusion? Probably nation-state hackers. Who? Good question. Why? Putting such code in network appliances gives, as the article says, the ability for the owner of the exploit to access resources behind the firewall, the ultimate target. So, how are these thoughts connected? If there is a backdoor in a network appliance, it can allow someone to bypass controls. The fact that this exploit went unnoticed for years speaks to the difficulty of checking for such intrusions. Likewise, if there was a backdoor engineered into an encryption system, as is promulgated on various fronts today, it would be vulnerable to misuse and unauthorized access. This would impact the security and privacy of legitimate users who are using the encryption system. Would it improve security? I think not, as those who are really concerned about eavesdropping on their conversations will take additional measures, such as using internationally sourced tools (or tools written by a trusted colleague), or by simply obfuscating the messages that are carried by the communication system. We have a backdoor to access the communications path, but we can’t see anything (at least prospectively) other than innocuous communication (remember steganography?). The value of a backdoor in encryption systems in preventing terrorist attacks is thus minimal, and the breakdown in the privacy of communications for others is significant.

Conversely, focusing not on the content, but rather the patterns of communication (the so-called metadata) or observing other external phenomena does have value. If someone is communicating with known terrorists or in places frequented by such individuals, that can and should raise a red flag. Then, traditional methods of surveillance can then be employed, including bypassing the encryption challenge by placing “taps” (malware) on a suspect’s devices and thus viewing the decrypted messages. That still leaves the challenge of obfuscated messages, but it is more useful. Much can be learned by observations of patterns and metadata. A classic example is determining the likelihood of imminent military action by observing the number of evening pizza deliveries to the Pentagon.

In summary, encryption has been with us since the beginning of communication. Computers are tools used in encrypting messages, but have not changed the fact that those planning activities where they want secret communications have many channels available to them. Sophisticated actors will layer protections on their communications, and simple backdoors to our personal devices or encryption tools will not pierce that veil. If backdoors are in place, we run the very significant risk that those backdoors will be used by actors other than the intended “official” users, and we have thus compromised the security of all and gained little or none in return.

I’ve been a happy Apple Watch user since I got mine on June 1st. While there were limitations in the apps, the promise of exciting functionality was there. It quickly became indispensable. I found texting to be a killer app, and I used the fitness tracker daily. I found a tide table app that’s perfect for helping with coastal fishing and boating. However, three weeks ago, the wrist detection process stopped working. I tried all the “home remedies” I could Google up, to no avail. I wiped and reloaded, I stood on my head while putting it on my wrist–not really, but you get the idea. I had to turn off wrist detection as one thing it did was stop workout tracking when it locked after 15 seconds. Turning off wrist detection also turned off Apple Pay (not that I’ve used it more than twice, to buy coffee at McDonald’s). I thought about sending it in for replacement (the hive mind was split between software errors and sensor errors) but decided to wait for the OS 2 update, betting that it was a software error (or a deep config setting that the wipe did not update). So, after a nearly 2 week delay in the release of the OS, it was available today, and I’m pleased to say wrist detection is working perfectly again.